This report provides the status of prior recommendations from an electronic
data processing audit (97DP-04) at the Department of Revenue. Of the 16
initial recommendations, 12 are implemented and 4 are not implemented.
The prior recommendations not fully implemented address:

- Periodic review of processing edit adjustments.

- Restricting employee access to department-wide applications according to job duties.

- Documenting the access provided to employees for department-wide applications.

- Internal security evaluations.


98DP-08 


Direct comments/inquiries to:
Legislative Audit Division
Room 135, State Capitol
PO Box 201705
Helena MT 59620-1705




EDP AUDITS


Electronic Data Processing (EDP) audits conducted by the Legislative Audit Division are
designed to assess controls in an EDP environment. EDP controls provide assurance over the
accuracy, reliability, and integrity of the information processed. From the audit work, a
determination is made as to whether controls exist and are operating as designed. In performing
the audit work, the audit staff uses audit standards set forth by the United States General
Accounting Office.

Members of the EDP audit staff hold degrees in disciplines appropriate to the audit process.
Areas of expertise include business and public administration.

EDP audits are performed as stand-alone audits of EDP controls or in conjunction with
financial-compliance and/or performance audits conducted by the office. These audits are done
under the oversight of the Legislative Audit Committee, which is a bicameral and bipartisan
standing committee of the Montana Legislature. The committee consists of six members of the
Senate and six members of the House of Representatives.
The Legislative Audit Committee
of the Montana State Legislature:

This is a follow-up report of our EDP audit (97DP-04) of general and application
controls at the Department of Revenue. The original report included recommendations
applicable to the Computer Assisted Mass Appraisal System (CAMAS), Revenue
Control System (RCS), Individual Income Tax System (IIT), and Delinquent Accounts
Receivable System (DAR). This report discusses the prior recommendations not yet
fully implemented by the department.

We thank the Department of Revenue for their cooperation and assistance throughout
the review.

Respectfully submitted,

Scott A. Seacat
Legislative Auditor


Room 135, State Capitol Building   PO Box 201705   Helena, MT 59620-1705
Phone (406) 444-3122   FAX (406) 444-9784   E-Mail lad@mt.gov
Chapter I - Introduction


Introduction


We performed a follow-up review of the electronic data processing
audit (97DP-04) of the Department of Revenue. The original report,
issued in December of 1996, contained 16 recommendations for
improving existing controls within the department's electronic data
processing environment. This report outlines the status of the prior
recommendations partially or not implemented.


Background on Original Audit


The original audit reviewed general controls over the department's
AS/400 computer, which processes property tax data for the
Computer Assisted Mass Appraisal System (CAMAS). The audit
also evaluated application controls over the Individual Income Tax
(IIT) system, the Delinquent Accounts Receivable (DAR) system,
and CAMAS. Except for CAMAS, the systems noted above process
data on the Department of Administration's central mainframe
computer.


Follow-up Scope


The objective of our follow-up audit was to determine the
implementation status of the original audit recommendations. We
interviewed department personnel and reviewed supporting
documentation. Listed below are prior recommendations the
department has implemented since the original audit.


Establish procedures to ensure IIT address changes do not
overwrite existing DAR address data.

Document IIT system edits for management and personnel
review.

Document and communicate department policy for adjusting IIT
system processing tolerance errors.

Implement cost-effective physical security controls within the
computer facility.

Secure backup information in an off-site location away from the
computer facility.

Evaluate and document AS/400 operating system installation
parameters.

Develop security procedures over the AS/400 operating system
as required by department policy.

Implement procedures to require users to change their CAMAS
system passwords.

Review employee access privileges to CAMAS on a scheduled
basis and restrict employee access in accordance with job duties.

Annually review employee-owned properties, and properties
owned by their family members, to ensure compliance with
department policy, which prohibits employees from making
system changes to those properties in CAMAS.

Establish procedures to ensure internal audit recommendations
for CAMAS are implemented.

Overall audit results are outlined below.


Table 1
Implementation Status of Recommendations


    Implemented                12
    Not Implemented             4
    Total Recommendations      16
Chapter II - Recommendation Status


This chapter discusses the status of prior recommendations not fully
implemented by the department. Recommendations which are fully
implemented are listed beginning on page one of the report. The
department concurs with the prior recommendations and continues
its progress toward complete implementation.


Income Tax Return Adjustments Should be Supported


In prior recommendation #3, we recommended the department
establish procedures for periodic review of processing edit
adjustments completed by Office Audit Bureau employees.


The recommendation is not implemented. Department procedures
provide that employees document reasons why they clear edit error
conditions or make adjustments to tax returns. Out of 58 tax returns
reviewed during the original audit, one return included an
underpayment penalty of $414 which an employee adjusted to zero
without supporting documentation. Upon further review, we found
the individual taxpayer's prior year return also included a $500
underpayment penalty which was also adjusted to zero without
supporting documentation. The department implemented collection
procedures following the original audit.

The IIT system is designed to allow employees to override error
conditions at their discretion. Because the IIT system allows
employees to override warning edits, employees can make
unauthorized tax return adjustments or process the returns without
correcting errors. The examples we found represent how department
employees can override IIT system error conditions and allow tax
returns to process without due assessment of additional tax or
penalty.

Periodic management review of adjustments or error overrides
completed by Office Audit Bureau employees would improve tax
return processing controls and help ensure compliance with
department procedures. The department has added an enhancement
request to produce a report of processing edit adjustments.
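The review report recommended above can be produced directly from the audit records the IIT system already writes for each override. The following is an added example, not the department's code or the enhancement it requested: the record layout (date, employee, taxpayer, tax year, field, old value, new value, justification), the employee and taxpayer identifiers, and the values are constructed. It flags adjustments that carry no supporting reason and, separately, taxpayers whose penalty was zeroed in more than one tax year, which is the pattern the two $414 and $500 cases above would have shown.

```python
"""Periodic review report over IIT-style edit-adjustment audit records.

Added example, not the department's code. The audit record layout is
hypothetical: one pipe-delimited line per adjustment,
  date|employee|taxpayer_id|tax_year|field|old_value|new_value|justification
Management review flags (a) adjustments with no supporting reason and
(b) taxpayers whose penalty was set to zero in more than one tax year.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample audit records (hypothetical employees, taxpayers, amounts).
SAMPLE_AUDIT_RECORDS = """\
1998-04-02|emp17|TP-1001|1997|underpayment_penalty|414.00|0.00|
1997-04-11|emp17|TP-1001|1996|underpayment_penalty|500.00|0.00|
1998-04-03|emp22|TP-2002|1997|withholding|1250.00|1520.00|W-2 corrected per employer letter
1998-04-03|emp22|TP-2003|1997|underpayment_penalty|75.00|0.00|Penalty waived, first-time filer, per OAB memo 98-12
1998-04-05|emp31|TP-2004|1997|taxable_income|30250.00|28250.00|
"""


@dataclass(frozen=True)
class Adjustment:
    date: str
    employee: str
    taxpayer: str
    tax_year: int
    field: str
    old_value: Decimal
    new_value: Decimal
    justification: str


def parse_records(text):
    """Parse pipe-delimited audit records; malformed lines are skipped and counted."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 8:
            skipped += 1
            continue
        date, emp, tp, year, field, old, new, why = parts
        try:
            records.append(Adjustment(date, emp, tp, int(year), field,
                                      Decimal(old), Decimal(new), why.strip()))
        except (ValueError, ArithmeticError):  # bad year or amount
            skipped += 1
    return records, skipped


def review_adjustments(records):
    """Build the management review report.

    Returns a dict with:
      undocumented   - adjustments whose justification is empty
      repeat_zeroing - {taxpayer: [tax_years]} where a penalty was reduced
                       to zero in more than one tax year
      by_employee    - adjustment counts per employee
    """
    undocumented = [r for r in records if not r.justification]
    zeroed = defaultdict(set)
    for r in records:
        if r.field.endswith("_penalty") and r.old_value > 0 and r.new_value == 0:
            zeroed[r.taxpayer].add(r.tax_year)
    repeat_zeroing = {tp: sorted(years) for tp, years in zeroed.items() if len(years) > 1}
    by_employee = Counter(r.employee for r in records)
    return {"undocumented": undocumented,
            "repeat_zeroing": repeat_zeroing,
            "by_employee": dict(by_employee)}


def format_report(report):
    """Render the review report as plain text for management."""
    lines = ["Processing edit adjustments lacking supporting documentation:"]
    for r in report["undocumented"]:
        lines.append(f"  {r.date} {r.employee} {r.taxpayer} TY{r.tax_year} "
                     f"{r.field}: {r.old_value} -> {r.new_value}")
    lines.append("Taxpayers with penalties zeroed in more than one tax year:")
    for tp, years in sorted(report["repeat_zeroing"].items()):
        lines.append(f"  {tp}: {', '.join(str(y) for y in years)}")
    per_emp = ", ".join(f"{e}={n}" for e, n in sorted(report["by_employee"].items()))
    lines.append("Adjustments per employee: " + per_emp)
    return "\n".join(lines)


if __name__ == "__main__":
    recs, skipped = parse_records(SAMPLE_AUDIT_RECORDS)
    print(format_report(review_adjustments(recs)))
    if skipped:
        print(f"{skipped} malformed record(s) skipped")
```

The report is a detective control only: it surfaces overrides after the fact so a supervisor can ask for the missing documentation, and it does nothing to stop an employee from clearing the edit in the first place.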




Restrict Access Per Job Duties


In prior recommendation #12A, we recommended the department
restrict employee access to department-wide applications according
to job duties.


The recommendation is not implemented. The original audit
found employees with unnecessary access to department-wide
applications (IIT, DAR, RCS). Specifically, we found programmers
with unlogged write access to production programs and data. Other
employees had access to applications which they no longer needed
because their job duties had changed.

During the follow-up, we found the department had not modified
employee access privileges. The employees we identified with
unnecessary access to the IIT system could change income tax return
data such as taxable income, withholding, exemptions, and
deductions. We also found employees who could adjust revenue
collection amounts in RCS or reduce tax receivable balances in
DAR. Overall, the employees no longer required the access
privileges based on their job duties.

To improve access controls, the department tried to develop an
automated procedure to log and review all access to systems by
someone other than the primary programmer. However, at the time
of our follow-up, the department determined the automated
procedure would not operate. The department plans to establish an
alternative solution.


Document the Access Provided


In recommendation #12B, we recommended the department
document the access provided to employees for department-wide
applications.


The recommendation is not implemented. The prior audit found
employee access to department-wide applications (IIT, DAR, RCS)
was documented for some, but not all, employees on authorized
request forms. The department concurred with the recommendation
and intended for its automated procedure to record instances of
unauthorized employee access. Although the procedure could help
the department detect unauthorized access to its applications, it will
not prevent unauthorized employees from viewing or changing
application data.

Authorized request forms provide initial documentation of requested
access and can help prevent unauthorized access to department
applications. In addition to documenting their business need for the
access requested, the request forms could be used to document the
employee's agreement to abide by department policy concerning
access to confidential information.
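The two access-control findings above (#12A and #12B) come down to one periodic reconciliation: compare the access each application actually grants against the request forms on file and against personnel moves, and separately review production writes by anyone other than the primary programmer. The following added example sketches that review; it is not the department's automated procedure or any state system. The user names, application names, production object names, HR events and log lines are all constructed, and the owner-per-object model of "primary programmer" is an assumption.

```python
"""Periodic access review for department-wide applications (IIT, DAR, RCS).

Added example, not the department's procedure. Every name, record layout
and event below is constructed. The review reconciles the access each
application grants against (1) the access request forms on file and
(2) HR move/termination events, and separately flags writes to production
programs or data by anyone other than the owner recorded for that object.
"""

# Access currently granted, as exported from each application: (user, application, level).
GRANTED_ACCESS = [
    ("alice", "IIT", "update"),
    ("bob", "IIT", "update"),
    ("bob", "RCS", "update"),
    ("carol", "DAR", "read"),
    ("dave", "RCS", "update"),
]

# Access request forms retained by the business lead (constructed).
FORMS_ON_FILE = {
    ("alice", "IIT", "update"),
    ("carol", "DAR", "read"),
    ("dave", "RCS", "update"),
}

# HR move/termination events since the last review: (user, event, date) (constructed).
HR_EVENTS = [("dave", "transfer", "1998-03-15")]

# Primary programmer (owner) recorded for each production object (constructed assumption).
OBJECT_OWNERS = {
    "IIT.PROD.PGM": "alice",
    "IIT.PROD.DATA": "alice",
    "RCS.PROD.PGM": "bob",
}

# Production access log, one event per line: date|user|object|operation (constructed).
ACCESS_LOG = """\
1998-04-01|alice|IIT.PROD.PGM|write
1998-04-01|bob|IIT.PROD.DATA|write
1998-04-02|bob|RCS.PROD.PGM|write
1998-04-02|carol|IIT.PROD.DATA|read
1998-04-03|erin|DAR.PROD.DATA|write
"""


def reconcile_access(granted, forms, hr_events):
    """Return (no_form, reexamine).

    no_form   - granted access with no request form on file; this is the
                access the review removes.
    reexamine - granted access held by a user with an HR move or
                termination since the last review; job duties may have changed.
    """
    no_form = sorted(a for a in granted if a not in forms)
    moved = {user for user, _event, _date in hr_events}
    reexamine = sorted(a for a in granted if a[0] in moved)
    return no_form, reexamine


def flag_foreign_writes(log_text, owners):
    """Flag production writes by anyone other than the recorded owner.

    A write to an object with no recorded owner is flagged as well, since
    nobody is authorised to change it. Reads are ignored.
    """
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, user, obj, op = line.split("|")
        if op != "write":
            continue
        owner = owners.get(obj)
        if owner != user:
            flagged.append((date, user, obj, owner))
    return flagged


if __name__ == "__main__":
    no_form, reexamine = reconcile_access(GRANTED_ACCESS, FORMS_ON_FILE, HR_EVENTS)
    print("Access with no request form on file (remove):", no_form)
    print("Access to re-examine after HR event:", reexamine)
    print("Production writes by non-owners:", flag_foreign_writes(ACCESS_LOG, OBJECT_OWNERS))
```

The point the report makes about the department's planned procedure applies here too: flag_foreign_writes only detects a write that has already happened, while the reconciliation in reconcile_access is what actually reduces access, because its output is the list of privileges to remove.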


Disaster Recovery Plans Should be Completed


In recommendation #13, we recommended the department
document and test formal disaster recovery procedures for
department mission-critical applications.

The recommendation is implemented. The department concurs
with this recommendation and has participated in two disaster
recovery drills coordinated by the Department of Administration
(DOA) at the Weyerhaeuser hotsite. As a result, the department
successfully restored its CAMAS and Liquor Tax systems. During
future recovery tests, the department intends to work with the DOA
to recover its mainframe applications and telecommunications
between the mainframe and the AS/400 computer system.

This recommendation focuses on department responsibilities for
disaster recovery in accordance with the Montana Operations
Manual (MOM) section 1-0240.00. The MOM outlines agency
responsibilities which include assigning recovery team member
responsibilities; assessing information and resource requirements
necessary to maintain applications; and determining alternate
procedures which may be necessary if recovery cannot be completed
within required time frames.

Disaster recovery planning is an ongoing process and requires
continued participation during hotsite recovery drills. As the
department continues to work with the DOA, the department should
prioritize application recovery procedures, define department
personnel responsibilities, and formally document overall recovery
procedures.
Internal Evaluations of Security


In recommendation #14, we recommended the department
implement formal policies which address safeguarding information
technology resources in accordance with state law.

The recommendation is not implemented. Section 2-15-114,
MCA, requires the department to be ". . . responsible for assuring
an adequate level of security for all data and information technology
resources within the department and shall: ... (4) ensure internal
evaluations of the security program for data information technology
resources are conducted." The prior audit found the department had
not implemented policies which address safeguarding data and
information technology resources.

Prior audit recommendations not yet implemented address income
tax tolerance level and processing edit/error correction procedures;
unnecessary employee access to applications; and documenting
employee access to department-wide applications. Department-wide
policies could help ensure data processing activities are controlled
and completed according to management's expectations.

The department is in the process of evaluating and revising its
information technology environment through Project META. This
project includes a revision of department-wide core business
functions; development of comprehensive strategic policies;
organizational restructuring; and replacement of outdated
information processing systems. In December 1998, the department
intends to implement strategic policies over its information
technology resources in accordance with state law.
Montana Department of Revenue
Director's Office
Sam W. Mitchell Building
P. O. Box 202701
Helena, Montana 59620-2701


May 29, 1998


Mr. Scott A. Seacat, Legislative Auditor
Legislative Audit Division
Room 135 State Capitol
PO Box 201705
Helena, MT 59620-1705

Dear Scott:

This is the Department of Revenue (DOR) response to the 1998 EDP Follow-up Audit
Report.

Recommendation #3. Establish procedures for periodic review of processing edit
adjustments completed by Office Audit Bureau employees.

Concur. The Department's current plans will not result in the replacement of IIT for at
least two years. In that light, we believe it is appropriate to develop an automated
adjustment review report for department management. As referenced in the report, the
IIT system produces audit records. We are currently assessing alternatives to provide
a periodic reporting capability associated with the audit record. A recommendation to
DOR management, with estimated cost of development and operation, will be prepared
by August, 1998. This provides the opportunity for any resulting development to be
included in IIT changes made prior to the next tax season.

Recommendation #12.

A. Restrict employee access to department-wide applications according to job
duties.

Concur. Currently, business lead personnel determine and submit authorizations to
access various applications. By July 1, 1998, the DOR will implement a procedure to
identify employees who have changed positions and should have their access
authorizations examined for appropriate changes. We will also document the need for
an automated personnel "move/termination" alert to be generated by the MT PRRIME
human resources module. This would allow immediate notification of a change in
employee status, which could require modification to their authorized access.
B. Document employee access to department-wide applications.

Concur. As mentioned above, authorizations to access various applications are
determined by business lead personnel. A procedure will be implemented by July 1,
1998, to ensure the responsible business lead receives and retains appropriate access
authorization requests. The ongoing procedure will include a periodic, preferably
semi-annual, "audit" of each application to ensure that all authorized users have appropriate
access request forms on file. Access will be removed for users without the required
forms. As noted in the EDP Follow-up Audit Report, the request forms will include an
indication of employee acceptance of department information confidentiality policies.

Recommendation #13. Prioritize applications recovery procedures, define
personnel responsibilities and formally document overall recovery procedures.

Concur. The Department of Administration provides a state government-wide disaster
recovery coordination and hot site exercise plan, which we participate in. We have
participated in disaster recovery drills and hot site exercises involving our AS/400
applications. We have approached disaster recovery on an application-by-application
basis rather than through a set of department policies and a comprehensive disaster
recovery plan. To date, that plan has not provided us the opportunity to test recovery
for our mainframe applications.

Near-term development of such a plan would require significant department resources
at the same time we are addressing Year 2000 compliance and POINTS ("Process
Oriented Integrated Tax System") development. POINTS, due to its integrated design
of both the database and applications, will provide us the opportunity to develop a
comprehensive database and application recovery plan for our new generation of
applications.

Recommendation #14. Implement formal policies which address safeguarding
information technology resources in accordance with state law.

Concur. We believe this recommendation reiterates concerns expressed in other audit
recommendations, particularly those related to employee access authorization and
security. As indicated, we concur with those recommendations and recognize that
Recommendation #14 adds the weight of state statute to the department's responsibility
to take corrective action.

As referenced in the report, Project META and the associated POINTS development
provide a unique opportunity to address strategic and implementation-specific issues
identified in the audit. The present implementation target for Phase I of
POINTS is September, 1999.

We appreciate the opportunity to respond and thank you and your staff for their
professional conduct and courtesy on the audit.

Sincerely,


Mary Bryson
Director